<?php
/*****************************************************************************\
+-----------------------------------------------------------------------------+
| X-Cart                                                                      |
| Copyright (c) 2001-2007 Ruslan R. Fazliev <rrf@rrf.ru>                      |
| All rights reserved.                                                        |
+-----------------------------------------------------------------------------+
| PLEASE READ  THE FULL TEXT OF SOFTWARE LICENSE AGREEMENT IN THE "COPYRIGHT" |
| FILE PROVIDED WITH THIS DISTRIBUTION. THE AGREEMENT TEXT IS ALSO AVAILABLE  |
| AT THE FOLLOWING URL: http://www.x-cart.com/license.php                     |
|                                                                             |
| THIS  AGREEMENT  EXPRESSES  THE  TERMS  AND CONDITIONS ON WHICH YOU MAY USE |
| THIS SOFTWARE   PROGRAM   AND  ASSOCIATED  DOCUMENTATION   THAT  RUSLAN  R. |
| FAZLIEV (hereinafter  referred to as "THE AUTHOR") IS FURNISHING  OR MAKING |
| AVAILABLE TO YOU WITH  THIS  AGREEMENT  (COLLECTIVELY,  THE  "SOFTWARE").   |
| PLEASE   REVIEW   THE  TERMS  AND   CONDITIONS  OF  THIS  LICENSE AGREEMENT |
| CAREFULLY   BEFORE   INSTALLING   OR  USING  THE  SOFTWARE.  BY INSTALLING, |
| COPYING   OR   OTHERWISE   USING   THE   SOFTWARE,  YOU  AND  YOUR  COMPANY |
| (COLLECTIVELY,  "YOU")  ARE  ACCEPTING  AND AGREEING  TO  THE TERMS OF THIS |
| LICENSE   AGREEMENT.   IF  YOU    ARE  NOT  WILLING   TO  BE  BOUND BY THIS |
| AGREEMENT, DO  NOT INSTALL OR USE THE SOFTWARE.  VARIOUS   COPYRIGHTS   AND |
| OTHER   INTELLECTUAL   PROPERTY   RIGHTS    PROTECT   THE   SOFTWARE.  THIS |
| AGREEMENT IS A LICENSE AGREEMENT THAT GIVES  YOU  LIMITED  RIGHTS   TO  USE |
| THE  SOFTWARE   AND  NOT  AN  AGREEMENT  FOR SALE OR FOR  TRANSFER OF TITLE.|
| THE AUTHOR RETAINS ALL RIGHTS NOT EXPRESSLY GRANTED BY THIS AGREEMENT.      |
|                                                                             |
| The Initial Developer of the Original Code is Ruslan R. Fazliev             |
| Portions created by Ruslan R. Fazliev are Copyright (C) 2001-2007           |
| Ruslan R. Fazliev. All Rights Reserved.                                     |
+-----------------------------------------------------------------------------+
\*****************************************************************************/

#
# $Id: security.php,v 1.19.2.11 2007/09/03 06:12:00 zaa Exp $
#

# This file is an include: it must only run inside an X-Cart page that has
# already started the session. A direct request is bounced to the parent
# directory and terminated.
if (!defined('XCART_SESSION_START')) {
	header("Location: ../");
	die("Access denied");
}

# No logged-in user, no access.
# NOTE(review): assumes $login is populated from the session, not from the
# request (register_globals era) — verify where it is set before this include.
if (empty($login))
	func_header_location("error_message.php?access_denied&id=37");

#
# Form id checking
#
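if (defined("AREA_TYPE") && !empty($login) && in_array(constant("AREA_TYPE"), array("A", "P"), true) && function_exists("func_generate_formid")) {

	# Number of form ids kept per session (FORM_ID_ORDER_LENGTH), falling back
	# to 100 when the constant is missing or not a positive integer.
	# Computed up front because the "wrong form id" message below interpolates
	# it; previously it was only assigned after that redirect, so the message
	# was built from an unset variable.
	$formids_length = defined("FORM_ID_ORDER_LENGTH") ? intval(constant("FORM_ID_ORDER_LENGTH")) : 100;
	if ($formids_length < 1)
		$formids_length = 100;

	# Check posted form id: every POST must carry a valid _formid unless the
	# including script opted out via FORM_ID_DISABLED.
	$posted_formid = true;
	if ($REQUEST_METHOD == 'POST' && !defined("FORM_ID_DISABLED")) {
		if (!func_check_formid()) {
			$top_message = array(
				"content" => func_get_langvar_by_name("txt_formid_is_wrong", array("length" => $formids_length)),
				"type" => "W"
			);

			# Send the user back where they came from, but only within this host.
			# The Referer header is client-supplied, so redirecting to it blindly
			# would turn this failure path into an open redirect; a referer with
			# no host (relative, scheme-less "//host", non-http) or a foreign host
			# falls back to home.php.
			$_back_url = "home.php";
			if (!empty($HTTP_REFERER)) {
				$_own_host = isset($_SERVER['HTTP_HOST']) ? preg_replace('/:\d+$/', '', $_SERVER['HTTP_HOST']) : '';
				$_referer_parts = parse_url($HTTP_REFERER);
				if ($_own_host !== '' && is_array($_referer_parts) && isset($_referer_parts['host']) && strcasecmp($_referer_parts['host'], $_own_host) == 0)
					$_back_url = $HTTP_REFERER;
			}

			func_header_location($_back_url);
		}

		# Token accepted: keep a copy and scrub it from the request so that
		# downstream code (and register_globals) never sees it as ordinary data.
		$posted_formid = $HTTP_POST_VARS['_formid'];
		func_unset($HTTP_POST_VARS, "_formid");
		if (isset($GLOBALS['_formid']))
			unset($GLOBALS['_formid']);
	}

	# Form id order checking: prune stored form ids so that at most
	# ($formids_length - 1) of the newest ones survive.
	if ($formids_length < 2) {
		# NOTE(review): this clears the form ids of *every* session, not only
		# the current one — confirm that is intended for a length of 1.
		db_query("DELETE FROM $sql_tbl[form_ids]");

	} else {
		# Expiry of this session's $formids_length-th newest form id; everything
		# that old or older is dropped.
		# NOTE(review): $XCARTSESSID and $expire are interpolated into SQL
		# unescaped — assumes the session layer sanitizes the session id and
		# that `expire` is a numeric column; verify. The DELETE is also not
		# scoped to sessid, so it removes other sessions' older rows as well.
		$expire = func_query_first_cell("SELECT expire FROM $sql_tbl[form_ids] WHERE sessid = '$XCARTSESSID' ORDER BY expire DESC LIMIT ".($formids_length-1).", 1");
		if (!empty($expire))
			db_query("DELETE FROM $sql_tbl[form_ids] WHERE expire <= '$expire'");
	}
}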

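# Accounts flagged "FS" are restricted to a fixed set of scripts.
# Strict comparison: under loose "==" a non-string flag could compare equal
# to "FS" on older PHP versions.
if (isset($user_account["flag"]) && $user_account["flag"] === "FS") {
	# Scripts an "FS" account is allowed to run; anything else is denied.
	$_fulfillment_scripts = array(
		"orders.php",
		"order.php",
		"generator.php",
		"statistics.php",
		"register.php",
		"help.php",
		"process_order.php",
		"popup_product.php",
		"anti_fraud.php",
		"import.php",
		"get_export.php"
	);

	# Script name is the first "name.php" path segment of the raw request URI
	# (\w already covers digits and underscore, so the class is just \w+).
	# NOTE(review): this trusts the URI as the client sent it; the script
	# actually executing is what the server resolved — confirm the two cannot
	# diverge in this deployment.
	$_fulfillment_match = array();
	if (!preg_match("/(?:^|\/)(\w+\.php)\??(.*)/", $REQUEST_URI, $_fulfillment_match) || !in_array($_fulfillment_match[1], $_fulfillment_scripts, true))
		func_header_location("error_message.php?access_denied&id=37");

	# statistics.php is allowed, but its login-statistics mode is not.
	# The isset() guard keeps this from touching an empty match if the
	# redirect above did not terminate the request.
	if (isset($_fulfillment_match[1]) && $_fulfillment_match[1] === 'statistics.php' && $mode === 'logins')
		func_header_location("error_message.php?access_denied&id=37");
}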

# Expose the account's flag (e.g. "FS") to the templates whenever one is set;
# empty() is deliberate so an absent or blank flag assigns nothing.
if (!empty($user_account["flag"]))
	$smarty->assign("current_membership_flag", $user_account["flag"]);
?>
